Semi-digital blue lens


A quick reference guide for CCPA compliance

Comparing CCPA compliance and the GDPR

The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. Is your organization prepared? Discover how the General Data Protection Regulation (GDPR) has paved the way for CCPA compliance initiatives.

How will CCPA compliance impact businesses?

The CCPA, effective January 1, 2020, will have a significant impact on corporate privacy initiatives across all sectors of the technology, media and entertainment, and telecommunications (TMT) industries. TMT companies that may still be in the process of compliance deployment for the European Union’s (EU) GDPR have some advantages addressing the new requirements, but brands that are primarily focused on the United States and markets in the Americas largely avoided GDPR’s scope. Regardless, the rising tide of privacy concerns among consumers and legislatures globally is driving data privacy mobilization across TMT.

Considered one of the strictest privacy laws in the United States, CCPA provides California residents with the ability to control how businesses process their personal information. Businesses will now have to honor requests from California residents to access, delete, and opt out of sharing or selling their information. Additionally, businesses will have to consider a number of CCPA-specific requirements when updating their privacy programs, such as the CCPA’s prescriptive opt-out measures, and the need to stop selling consumer data upon an individual’s request.

Five frequently asked questions about CCPA compliance

How does the CCPA stack up to the GDPR?

Both the GDPR and the CCPA have a number of similarities. But the CCPA’s unique requirements require focused efforts on the part of businesses to achieve and maintain compliance. Organizations that have previously updated their governance mechanisms and operational implementations to comply with the requirements of the GDPR have an advantage over a business that wasn’t subject to the GDPR. A specific element is transitioning from a point-in-time GDPR project to a scalable, regulatory-agnostic, and efficient privacy program that can be responsive as privacy regulations stabilize and mature.

With clarification from lawmakers on elements of the CCPA still pending, organizations may not have a sense of urgency when it comes to getting their compliance programs ready. But TMT companies should have learned from GDPR that the level of effort for developing a compliance program can be a lengthy process, and it’s critical to get started as soon as possible.

How the CCPA compares to GDPR

Back to top

Third-party risks increase with new privacy regulations

With both the GDPR and CCPA compliance, third-party risk management will likely be challenging for many organizations.

In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties.

– Richard Vestuto, a managing director at Deloitte Transactions and Business Analytics LLP.1

Any number of third parties potentially house an organization's data, including external vendors performing marketing, billing, or collections. Under the CCPA and the GDPR, the organization that gathers or processes the personal information is responsible for keeping that data private, which requires a contract in many circumstances.

Organizations should consider a thorough and complete review of existing contracts to inventory and determine which third parties might be collecting, processing, or retaining personal information on that organization’s behalf. Upon identifying those in-scope contracts, the next steps may include amending or renegotiating those contracts to achieve compliance. Additionally, consider different technologies to extract the privacy clauses involved and conduct an analysis against standards and regulatory provisions.

1 “EU GDPR: After the Deadline, What Comes Next?,” CFO Journal, January 10, 2019.

city connected via technology

Finding the upside of new privacy rules

Business leaders understand that doing what needs to be done to create enterprise value often means taking risks. TMT executives should consider viewing data privacy and security not just as a risk management issue but as a potential source of competitive advantage that may be a central component of brand-building and corporate reputation.

The CCPA is coming soon, and it’s likely that additional data privacy regulations will follow in the United States and globally. Planning for CCPA compliance and the potential variety of similar regulations will require focused effort from across an organization. In support of that, organizations can focus on developing mature privacy strategies, with input from all the impacted facets of a business, to manage both the CCPA’s immediate requirements as well as plan for future privacy-related concerns.

Digital rays from office buildings

About Deloitte Risk and Financial Advisory

Deloitte Risk and Financial Advisory helps organizations effectively navigate business risks and opportunities—from strategic, reputation, and financial risks to operational, cyber, and regulatory risks—to gain competitive advantage.

We apply our experience in ongoing business operations and corporate lifecycle events to help clients become stronger and more resilient. Our market-leading teams help clients embrace complexity to accelerate performance, disrupt through innovation, and lead in their industries.

Explore our priority markets:

Back to top

Deloitte Risk and Financial Advisory

Contact us today

Get in touch

Christina De Jong
Deloitte Risk and Financial Advisory

Glen Aga
Managing director | US Cyber Risk Services
Deloitte Risk and Financial Advisory

Richard Vestuto
Managing director
Deloitte Risk and Financial Advisory

Daniel (Dan) Sutter
Senior manager | US Cyber Risk Services
Deloitte Risk and Financial Advisory

Green chat icon

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?